Skip to main content

Greetings

I manage OSX clients (mostly Lion and now Mountain Lion) in a mixed environment, all OSX clients bound to Active Directory and and default users do not have Admin rights to OSX. I wanted to allow users to turn proxy settings on and off, change time zones and a few other things. For that they need admin rights. There must be a way to grant standard users access to these parts of the system without given them admin rights over the whole OSX environment.

I been trying a few things in Casper without success. I tracked down a script that looked very promising from the collective efforts of the contributors to MacMule:

http://macmule.com/2012/05/13/unlocking-preference-panes-for-non-admin-users-on-10-6-10-7/

I just can't get this script to work. It runs if I replace the double square brackets on the first IF statement to single ones, but a standard mobile user is not given any rights to make changes to proxy, timezone etc. Has anyone managed to use this script or got the same results by other means. I need the solution to be deliverable from Casper automatically.

Regards

Hi Victor,

Thanks for checking out my site :)

Anyways, can you try the script below? (I'm going to move all my scrtipts to GiTHub as the formatting on wordpress sucks).

#!/bin/bash

#Backup the original authorization file
sudo /bin/cp /etc/authorization /etc/authorization.original.backup


if [[ "$OS" == "10.6" ]]; then
        #Modify /etc/authorization to allow any member of the everyone group access to unlock preferences
        sudo /usr/libexec/PlistBuddy -c "Set :rights:system.preferences:group everyone" /etc/authorization
        sudo /usr/libexec/PlistBuddy -c "Set :rights:system.preferences:shared true" /etc/authorization
        echo "Given rights to the everyone group to unlock secure system preferences for OS $OS..."
else    
        # Unlock System Preferences for non admins.
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences:group everyone' /etc/authorization
        # Unlock Accessibiltity preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.accessibility:group everyone' /etc/authorization
        # Unlock Accounts preference pane       
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.accounts:group everyone' /etc/authorization
        # Unlock Date & Time preference pane        
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group everyone' /etc/authorization
        # Unlock Energy Saver preference pane       
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.energysaver:group everyone' /etc/authorization
        # Unlock Network Settings preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.network:group everyone' /etc/authorization
        # Unlock Parental Controls preference pane      
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.parental-controls:group everyone' /etc/authorization
        # Unlock Print & Scan Preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.printing:group everyone' /etc/authorization
        # Unlock Security Preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.security:group everyone' /etc/authorization
        # Unlock Sharing Preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.sharing:group everyone' /etc/authorization
        # Unlock Software Update Preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.softwareupdate:group everyone' /etc/authorization
        # Unlock Startup Disk Preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.startupdisk:group everyone' /etc/authorization
        # Unlock Time Machine preference pane
        sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.timemachine:group everyone' /etc/authorization
fi

Also, with 10.6 > 10.7 apple did change the method, therefore i assume it's been changed again with 10.8 :(

So 1st things, get it working on 10.7 via a policy... then we could possibly look at 10.8.

There are also some things that even though you can seemingly change them still require admin permissions.. such as changing wireless network preference order.. which is a bit odd.

Anyways, reply on my site & i'll be able to get you email.. we can then update here once we've got the 10.7 part working.

I got them all to work on mountain lion except for the network one, any luck on that one?

The Network prefs pane wants an additional right, which you can grant to everyone like this:

sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.services.systemconfiguration.network:rule allow' /etc/authorization

Be sure you really want to do this.

I talk about granting additional rights to non-admin users in this presentation from MacSysAdmin 2012: http://documentation2.macsysadmin.se/2012/video/Day2Session7.m4v

I want to bring this up with another question.

I have seen the key system.preferences.security.remotepair that is important for us as we don't have any admin accounts for the users on our machines.

So we tried sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.security.remotepair:group everyone' /etc/authorization

But it failed with the error: Set: Entry, ":rights:system.preferences.security.remotepair:group", Does Not Exist

Any idea why this could be the reason?

Thanks a mill.

Hi

I tried to run the script for mountain Lion, it unlock the printing preference, but when i click to add a printer, prompt for Print Administrator username and password menu to key in. how do allow Managed,mobile account to add the printer without admin password

kiruarch - http://support.apple.com/kb/HT3511

I did the command below on a 10.7.5 machine and it doesn't change anything. I still can't change date and time preferences with the standard student account. sudo /usr/libexec/PlistBuddy -c 'Set :rights:system.preferences.datetime:group everyone' /etc/authorization

Terms & ConditionsCookie settingsAccessibility statement